Black Hat/Def Con
The Magic is in the Mix

by

Richard Thieme

How time flies.

Eight years ago, one hundred computer hackers who had connected only in
cyberspace - mostly through bulletin boards - decided to meet in Las Vegas,
Nevada. Why Las Vegas? "It's the only city that builds hotels faster than
we can use them up," said one. 

The con took root and began to grow. And grow. And grow. 

This year, nearly six thousand "hackers" of multiple generations, corporate
security gurus, intelligence officers, journalists, corporate recruiters,
Feds, and scene junkies came to the Alexis Park Hotel, a non-gaming resort
hotel, as well as to the more mainstream two-day security conference, the
Black Hat Briefings, that precedes Def Con at Caesar's Palace. 

Founded and led by Jeff Moss, a.k.a. Dark Tangent, Def Con began sponsoring
The Black Hat Briefings four years ago. Originally conceived as a forum for
security experts presented by elite hackers, Black Hat has grown from 350
to more than 1500. Black Hat also offers annual conferences in Amsterdam
and Hong Kong and is adding specialized seminars like Security for Windows
2000. Moss recently left his job with Secure Computing to devote himself
full time to growing Black Hat/Def Con.

Eight years after its modest beginnings, the magic of Black Hat/Def Con is
in the mix. While some mourn the loss of the old days, when Def Con more
closely resembled hacker-only cons like Pump Con, Summer Con and Cuervo
Con, Moss always intended Def Con as a bridge world that would include many
"straight" government and corporate computer security experts. He saw that
real security was created through collaborative conversation. A Federal
panel, including Art Money, Asst. Secretary of Defense, opened Def Con this
year and testifies to the success of Moss' effort. 

In contrast to H2K, a hacker gathering held earlier this summer in New York
which seemed to many like a Woodstock reunion running on the fumes of an
obsolete ideology, BH/DC has grown with the times. Moss now has multi-year
contracts with hotels, and the "Def Con goons," volunteers who serve as
support staff, while still in evidence, are now joined by professional
convention organizers.

Of course, other computer security conferences have evolved too, such as
SANS, CSI, Usenix, and TIS. Thanks to the open borders of the Internet,
computer security is big business. So how well does Def Con/Black Hat stack
up as a security conference? Why do so many people come to the burning
desert in July when other conferences are available?

First, a disclaimer: I have spoken at Def Con for five years and at Black
Hat for four years. BH/DC is a primary community for me, populated with
friends and colleagues. So I asked others for evaluations. While Def
Con/Black Hat does not get straight A's from everyone, all agreed that the
unique flavor of the multi-ring circus, with its great diversity of
resources, and the good to high quality of technical presentations, make it
a "must go" on many lists.

Vaughn Hendricks, Staff Systems Integrator of Lockheed Martin Mission
Systems and SIPRNET Project Manager, NAVSEA OO1, has worked in computing
for 35 years and computer security for 20. He limits the conferences he
attends to Black Hat/DefCon and CSI. 

"In the military, I worried about our classified operations and still do,
working for government sites since officially 'retiring.' Black Hat/Def Con
offers a unique opportunity for collaboration between good guys and bad
guys. I can listen to premiere network security gurus and ex-hackers and
discuss vulnerabilities in depth. I've been to both for two years - you get
Def Con for free when you go to Black Hat - so it's at the top of my list
for gathering information for protecting government resources." 

Noid, a Sr. Security Engineer for SecurQuest, an Irvine, CA based security
firm, believes that "BH/DC has a certain edge that no other mainstream
security convention can compete with. When it comes to hacking systems or
being on the cutting edge of protecting systems, there's a certain mindset
one must possess, and all of the speakers at BH/DC have it. I've been to
most mainstream conventions and they're good at teaching textbook methods
of attacking/defending systems, but at BH/DC
you get to talk face to face with the person who pioneered the particular
attack/defense, which you can't get anywhere else. I went to SANS this
spring, for example, and they taught us all about L0phtcrack and BO2k. It
was informative and interesting, but at DefCon I can have a beer with Mudge
(author of L0phtcrack) or DilDog (author of Back Orifice 2000) and have my
questions answered directly by the authors."

Those unique resources were also emphasized by Drew Fahey, Computer
Security & Investigative Specialist for e-fense, Inc. in Englewood,
Colorado. "Black Hat and Def Con are invaluable," he said. "You don't go
for hands-on training, you go to meet new people and see who is really
ahead in Information Security. That is not to say you don't get good
information at Usenix or SANS, but you don't get to meet members of the
'underground' or groups like CDC (Cult of the Dead Cow) at traditional
security conferences. You really have to experience it to understand its
value."

Charles Neal, Senior Director, Cyberterrorism Detection & Incident Response
for Exodus Communications, Inc. and recently retired FBI Supervisory
Special Agent of the LA regional computer crime squad attended his first
Black Hat and was impressed.

"Black Hat brings people closer to the edge of the black and white side of
the security knife than other security conferences normally do," he
reflected. "There are thought provoking topics, more than occasional good
debates in and out of sessions, and opportunities for good personal
contacts. That made it a valuable experience, in spite of a few speakers
with good knowledge but underdeveloped presentation skills."

Other security conferences provide solid information in a traditional
setting. Other hacker cons provide forums for gray hats and black hats. But
Black Hat/Def Con provides a unique blend of white, gray, and black hats
and the opportunity for real networking and dialogue among them.

Richard Thieme (rthieme@thiemeworks.com) is a contributing writer for
Information Security. He writes, speaks, and consults on the human
dimensions of technology and the workplace. 
